Good Practice Guide Internal Audit Strategy Version DTD 23 April 2018 Gize
EUROPEAN UNION
April 2018
Contents
Introduction
Chapter 1 Overview on the Internal Audit Strategy
Chapter 2 Fundamentals for developing an Internal Audit Strategy
Chapter 3 Identifying audit coverage (the audit universe)
Chapter 4 Risk assessing the audit universe
Chapter 5 The Audit Toolbox
Chapter 6 Identifying and procuring skills and resources
Chapter 7 Quality Assurance
Chapter 8 Finalising, submitting and selling the strategy
Chapter 9 Review of the Internal Audit Strategic Plan
Annex A Operational Procedure: Strategic Audit Planning
Annex B Operational Procedure: Strategic Planning – Management Input
Annex C Template: Strategic Audit Plan
INTRODUCTION
Internal audit planning by the Internal Audit Unit (IAU) for the MDAs is
structured at three levels:
The strategic audit plan is the high-level concept of how the internal audit
service will be delivered, and the focus of this Guide is on developing the
three-year strategic internal audit plan.
A systematic and structured process can be used to develop the internal audit
strategic plan, helping to enable the internal audit activity to achieve its vision
and mission.
This guide aims to highlight the range of specific considerations that should
assist the Head of Internal Audit Unit (HIAU) to develop a three-year internal
audit strategy relevant to their MDA.
This guide does not set out a “model strategy”; because each MDA is unique,
its risk management, control and governance is unique, and the internal audit
strategy is unique. However, the use of this guide should allow an HIAU to
ensure that they give attention to the key elements of an effective internal
audit strategy.
1. Overview of the Audit Strategy
For an internal audit function to remain relevant, it should adapt to changing
expectations and maintain alignment with the objectives of the MDA. The
internal audit strategy is fundamental to remaining relevant — playing an
important role in achieving the balance between cost and value, while making
meaningful contributions to the MDA’s overall governance, risk management,
and internal controls.
The purpose of the audit strategy is to put in place a strategic approach that
will allow the Head of Internal Audit Unit to manage the audit unit in a way
that will facilitate:
The provision to the principal stakeholders of an overall opinion each year on the:
The documented audit strategy should set out, at any point in time:
The extent to which internal audit can rely on the MDA’s risk analysis.
Where the MDA risk analysis is not reliable, or not sufficiently well
established within the MDA, then the HIAU will have to undertake
his/her own risk assessment.
The elements of the risk analysis which are regarded as essential for
annual audit review to provide a positive, reasonable assurance to the
principal stakeholders
The further coverage of the risk analysis that is necessary to provide a
positive reasonable assurance and to meet the specified assurance
requirements of the principal stakeholders.
The areas of change in the organisation that are being subjected to
systems development audit.
The range of approaches which internal audit plans to deploy.
The assessment of resources required to deliver the audit assurance,
including identification of specialist skills that may be required.
The way in which internal audit and specialist resources will be
procured.
The approach to training and continuing professional development of
internal audit staff to ensure that they are suitably skilled to deliver the
internal audit service.
How the internal audit service will measure its performance, quality
assure itself, and seek continuous improvement.
Risks that the audit unit itself faces in delivering the strategy and plans
for controlling these risks.
The HIAU must agree the strategy and periodic plans with the principal
stakeholders, ensuring that internal audit’s plans, resource requirements and
any significant interim changes are appropriately communicated to the
principal stakeholders.
Once the strategy is agreed within the MDA a copy should be sent to the
Director IAD MOFED. The Director has overall responsibility for internal audit
within MDAs and this includes a responsibility to ensure that internal audit
strategies follow the processes in this guide, and are also consistent with the
Sierra Leone Public Sector Internal Audit Standards.
2. Fundamentals for developing
the Audit Strategy
There are several fundamentals for developing the internal audit strategy:
This risk management review by internal audit should seek evidence of the
following risk management characteristics:
risks.
• Assignment of ownership of risks at an appropriate level which has authority
to assign resources in responding to the risks.
• The regular review / revision of the risk analysis.
If the HIAU is not satisfied with any of the above, the issues identified should
be discussed with the principal stakeholders to try to resolve the issues.
3. Identifying Audit Coverage
(Audit Universe)
The next stage in developing the audit strategy is consideration of the
coverage of the risk management, control and governance that is required to
provide the principal stakeholders with an opinion.
and coordination with management and auditors in the associated
MDAs.
Current knowledge of the organisation’s risk management, control and
governance (including past external audit findings and
recommendations) will inform assessment of the likelihood of there
being (material) deficiencies which may require greater audit coverage.
The adequacy of control exercised over contractors and service
providers will need to be assessed; and
The audit coverage should also take account of significant centrally
driven developments to which organisations are required to respond.
These may include issues such as Information Assurance, Government
Accounting, Health and Safety, and Financial Management.
It should be kept in mind that the most effective audit coverage is gained by a
combination of strategic audits (is risk, control and governance well planned
and directed?) and operational audits (is risk management, control and
governance well executed?). The audit coverage should aim to address both
the question of how well control is planned and how well it operates in
practice.
Audit Universe
These considerations will result in an ‘audit universe’. From this, the audit work
to be done in any year can be developed, leading to the development of
annual audit plans.
Constraints
Resources
The best resource for making these estimates is historic experience of how
long audit work takes to do.
4. Risk Assessing the Audit
Universe
From the earlier Chapter it is clear that the risk assessment and evolving
strategy must be built around the auditable units (audit universe).
An advantage of having an audit universe is that it enables the internal audit
function to be clear about the extent of audit coverage of key risks and other
risk areas each year. It can also provide a degree of rigour around areas not
being audited.
Objectives of risk assessing the audit universe
In the absence of a reliable risk assessment within the MDA the main
objectives of the internal audit risk assessment are to:
Allocate limited internal audit resources to areas within the MDA that
are most critical to the success of achieving the MDA’s objectives, goals,
deliverables, etc. – using risk as the basis of assessment;
Increase internal audit efficiency and effectiveness by matching internal
audit resources/effort to risk in the identified auditable units.
Risk assessment process
A well-developed risk assessment model will provide an efficient and
systematic procedure to:
Determine the potential auditable areas within the MDA;
Measure risk in the auditable areas as high, medium or low;
Rank the auditable areas by risk;
Estimate the time necessary to undertake the audit;
Distribute audit resources in the most efficient manner, and
Develop a strategy and annual plans.
Examples of Risk Factors
The combination of factors used in an internal audit risk assessment may be
different for each MDA dependent upon the nature of the MDA operations.
However, the more common risk factors used by internal audit include:
Significance of activity/function as an objective or goal of the MDA
Materiality
Potential for fraud, misuse or error
Stability of system – new project, IT development,
Control environment
Assessment at last internal audit
Potential for reputational damage
Extent of computerisation
External assessment e.g. Auditor General reports
Resources
Risk rating
All of the identified auditable units within the audit universe should be
rated (scored) for each of the risk factors that the HIAU decides to use. There
are numerous methodologies for scoring, some of them complex, which may well
be justified in banking or financial institutions, but if possible keep the
rating system simple but relevant and, overall, ‘fit for purpose’.
The following are two examples of simple risk ratings to use for each risk
factor:
Risk Score 0 (low)
3 (medium low)
5 (medium)
7 (medium high)
9 (high)
Risk Score 1 (low)
2 (medium)
3 (high)
Risk Rating and Prioritisation
For each auditable area in the audit universe the risk scores for all risk factors
are totalled to obtain a representative total impact and probability score for
each.
Once the total scores have been calculated the list of auditable units can be
sorted from the highest to lowest by their respective total risk score.
Then rank the audit universe based on the result of the risk assessment.
Audit Universe – HINTS
HINT 1 – There is an industry around risk management but generally, for public
sector internal audit purposes, risks can be divided into five groups:
Strategic risks
Operational risks
Financial risks
Information risks
External risks
HINT 2 – Assessing resource requirements – minimum unit a day
HINT 3 – Make the resultant strategy/plan look good – professional
HINT 4 – YOU probably know more than others about risks within the MDA, so BE
CONFIDENT with the resultant strategy and plans.
5. The Audit Toolbox
From the guidance given in previous Chapters, it can be seen that an effective
internal audit service for the MDA will require a range of techniques at its
disposal. The audit strategy should aim to set out which techniques will be
used in which circumstances.
Systematic audit - A “full” audit in which every aspect and stage of the
audited subject is considered. It includes review of both the design and
operation of controls.
Compliance audits - Where there is pre-existing confidence that controls
are well designed, but effective operation of the controls is a material
issue, audits that test only for effective operation of controls can be
appropriate e.g. payroll or revenue generating audits.
Key control testing - A review clearly focussed on a small number of
material or key controls.
Quality Assurance Review - Reviewing the approach and competency of
other reviewers rather than reviewing risks and controls direct. Designed
to form an opinion of the reliance that can be placed on the work of
others.
Control and Risk Self-Assessment (CRSA) - A technique in which the
people who run a system or process review their own risks and controls,
usually with a facilitator from internal audit who ensures a structured
approach.
Facilitating CRSA workshops serves as both an assurance technique and
a consultancy technique for internal audit.
Systems Development Audit - Review of plans and designs for new
systems and processes aimed at providing assurance on controls being
designed into future systems and on the adequacy of the project/change
process
6. Identifying and procuring skills
and resources
The considerations given to the audit coverage will also reveal any need for
specialist resources in addition to the current internal audit staff within
MDAs. These additional skills may include accountants, lawyers, technical or
scientific specialists and specialist IT skills.
For these specialist resources it may not be good value to appoint full time in-
house staff. It may be necessary to consider how to procure these skills to the
extent to which they are required to deliver the audit strategy. If necessary,
appropriate call-off contracts should be set up or arrangements made for joint
working with specialists within the organisation. IAD MOFED should be
consulted when such specialist resources are required as it may be that the
resource can be drawn from another MDA to assist.
As well as planning for specialist skills, the strategy should plan for the ongoing
core audit skills that the MDA internal audit service requires. There should be a
“succession plan” to help identify forthcoming vacancies with a view to
promptly filling with appropriately qualified staff.
The strategy should also include comment on the internal audit function’s
training and development needs to ensure that new staff are equipped with
requisite skills as early and as effectively as possible. It is also good
professional practice to consider how the “core” audit staff will maintain their
skills. In particular all core audit staff should be well trained in risk
management issues.
The long-term view of the work which needs to be done informs the
assessment of the number of audit staff required to deliver the internal audit
coverage required by the Vote Controller. Interpreting the estimate of staff
days required to deliver an effective audit service into a staffing plan also
needs to take account of:
Supervision time – all audit work must, in the first instance be subjected
to appropriate quality management through review and supervision.
Contingency time – allow an element of time to deal with unforeseen
issues (for example – the emergence of a new risk, or a request from the
Vote Controller or the Audit Committee).
Training time – adequate time for training to ensure that staff are
competent in their work must be allowed.
Follow-up time – adequate time must be allowed to review
management response to audit reports, and in particular in addressing
material weaknesses.
Management and administrative time – allow sufficient time for
strategic management, liaison with the Audit committee, and for the
efficient administration of the internal audit function.
7. Quality Assurance
Quality Assurance is the subject of separate good practice guidance. However,
in order that the Vote Controller, Audit Committee and line managers can have
confidence in the internal audit service, the strategy should set out the key
elements of the quality assurance processes deployed by internal audit.
1 The way in which the internal audit service governs and controls itself.
By reference to the Sierra Leone Public Sector Internal Audit Standards.
By reference to guidance such as the Government Internal Audit
Manual.
By reporting to the Audit Committee.
By reporting to the Internal Audit Director MOFED
8. Finalising, Submitting and Selling
the Strategy
“To know and understand your customers so well that the product or
service fits and sells itself”
Peter Drucker, management consultant whose writings contributed to the philosophical and practical
foundations of modern business.
Often the importance of finalising and submitting the internal audit strategy to
top management and the Audit Committee is overlooked by HIAUs. The final
product should capture the attention of Vote Controllers and Audit
Committees.
The strategy represents the HIAU’s vision for the future of internal audit within
the MDA over the coming years. It should be a vehicle for taking the internal
audit function from the ‘back room’ to the ‘board room’. The strategy
document should promote a quality, added value and professional internal
audit service that will be available to serve not only the Vote Controller and
the MDA but also the wider Sierra Leone public service.
There follow a few thoughts on how HIAUs might achieve impact with finalising
and selling the internal audit strategy:
In taking forward the strategy – identify your ‘champions’ and your
‘challengers’, then concentrate effort on turning your ‘challengers’ into
‘champions’.
Team build continuously – involve the team at all stages of planning,
encourage continuous improvement – delegate!
9. Review of the Internal Audit
Strategic Plan
Similar to the strategic plan for the organization, the internal audit strategic
plan should be periodically reviewed and appropriately updated. The
frequency of review will be determined by the HIAU in conjunction with
discussions with the Vote Controller, Board and Audit Committee. Factors
influencing the frequency of reviews include (but are not limited to):
ANNEX A - OPERATIONAL PROCEDURE: STRATEGIC AUDIT PLANNING
Background
Strategic audit planning is the process of identifying the key audit strategic
direction of the IAU for a three-year period. Its format and content shall be
agreed upon, and reviewed annually by the principal stakeholders and the
Head of Internal Audit Unit to take account of changing circumstances of
the MDAs.
Objective
Identifying all the areas of MDA’s activity that require auditing over the three
year period.
Stating how the MDA’s key internal control systems and risk management
processes will be reviewed.
Stating how the internal audit service will be provided, and establishing the
resources and skills required for meeting audit objectives.
Procedure
Internal Audit Unit 1. Review the Mission Statement, values and objectives
of the MDAs.
ANNEX B
Objective
To seek input from management of the MDA and AC for possible areas of
risks, their likelihood or importance. The input received from management
and AC together with the long-term audit plan should serve as the basis in
arriving at the annual plan for the MDA.
Procedure
Action by: Action:
HIAU
Send a letter or hold discussions with
management of the MDA and Audit
Committee (AC) requesting them to provide
the IAU with their audit needs
Review the requests received from
management and identify the areas which
can be incorporated into the annual audit
plan. (The decision to include a request into
the audit plan should be based on risk
analysis, availability of audit staff, and other
inherent risk associated with the request).
Communicate decision and basis for arriving
at the decision on which areas will be
included in the audit plan to management
and Audit Committee (AC)
Document discussions in an Audit Needs
Assessment Working Paper file.
ANNEX C INTERNAL AUDIT STRATEGIC AUDIT PLAN TEMPLATE
1.6
1.7
2. Commentary on the 20xx/xx (last period) strategic and 20xx (the latest
completed) annual plan
2.1
2.2
4. Audit Coverage - Strategic Plan 20xx/xx and Annual Plan for 20xx
(ISSUES RELATED TO THE PROBLEMS AND SUBSTANCE OF AUDIT AREAS, AUDIT PERFORMANCE AND
ADMINISTRATION)
4.1
4.2
Administration /
General issues
(strategic objectives)
H 2 1 1 7
M 1 1 3
L 1 1
Procurement
management
Financial
Management
PR & Communication
System Review
Total audits/yr -
5. Auditable areas not covered in audit plan cycle (Including reasons for which
there will be no audit activities)
6. Audit reporting
6.1 ASSIGNMENT LEVEL
9. Conclusion
9.1
_________________________________________________
TEL., FAX
____________________________________________
____________________________________________
____________________________________________
APPROVAL INSCRIPTIONS:
____________________________________________
____________________________________________